PRO-3000.07H: Change and Release Management Procedure

Intended Audience: University personnel responsible for managing University computing and networking devices
Procedure Owner: Director of Information Security 

1. Definitions

Change Advisory Board 

A group of technical experts, management, and stakeholders that evaluate and approve information technology (IT) service changes. 

Change Management 

The process by which changes are recorded, evaluated, authorized, prioritized, planned, tested, implemented, documented, and reviewed in a controlled manner. Change Management processes ensure that standardized methods are used for the efficient and prompt handling of all changes and that overall business risk is minimized. 

Emergency Change 

Changes that must be done quickly due to a serious threat or service interruption. Examples include zero-day vulnerability patches or enterprise system failure fixes. 

Normal Change 

Any changes that cannot be classified as an Emergency Change or Standard Change. Examples include application software upgrades or application configuration changes. 

Release Management 

The process of managing, planning, scheduling, and communicating a system or application change. Release Management occurs after changes are approved. 

Standard (pre-authorized) Change 

Changes done on a regular schedule and/or in a repetitive manner. Examples are the installation of monthly Microsoft operating system patches or a test database refresh. These changes do not require approval from the Change Advisory Board, but they must be documented. Customers must be notified if there is the potential for service interruptions. 

2. Introduction 

OCIO 141.10: 8.1 

Changes to any information technology (IT) system should be done using formal, documented Change and Release Management procedures. Separate procedures are required for Standard, Normal, and Emergency changes, though they all may share some common steps.

3. Standard Changes

Standard Changes should follow the same process each time they are implemented for a particular change (e.g., Windows patches). Standard changes have the following eight steps:

3.1 Review of Release Notes 

For commercial or open-source applications, functional and system analysts review release notestogether with database administrators, if applicableto determine the dependencies between modules on other environments and on integrations with other Western systems.

3.2 Testing of Changes 

Evaluate Standard Changes in a test environment or test population prior to full deployment in production.

3.3 Recovery/Rollback Planning 

Document and test the procedures for backup and recovery of a system or rollback of a change prior to implementing a change. If no environment exists to test a change, a recovery/rollback plan can serve to mitigate risk from the change. Routine changes can utilize the same Recovery/Rollback plan each time they happen.

3.4 Change Requests 

Log Standard Changes in the appropriate change management system [e.g., the Information Technology Services (ITS) ticketing system Jira].

3.5 Release Management Planning 

Standard Changes may use the same Release Management plan each time the change happens. Include the following in the Release Management plan: 

  1. Personnel (title or name) performing the change. 
  2. Description of the release process. 
  3. Release schedule(s). 
  4. Any stakeholder communications required for the change. 
  5. Add the Release Management plan to the Change Request ticket. 

3.6 Communications 

Inform the users impacted by a change of the change and its impact, as detailed in the Release Management Plan.

3.7 Implementation 

Make changes as per the Release Management plan.

3.8 Closure 

After completion of a change, inform users, as appropriate to the magnitude of the change, and close the Change Request ticket.

4. Normal Changes

Normal Changes are typically used for application upgrades, hardware changes, and system configuration changes; however, they may include any type of non-Emergency or non-Routine Change. Normal Changes have the following nine steps:

4.1 Review of Release Notes 

For commercial or open-source applications, functional and system analysts review release notestogether with database administrators, if applicableto determine the dependencies between modules on other environments and on integrations with other Western systems.

4.2 Testing of Changes 

Evaluate Normal Changes in a test environment or test population, prior to full deployment in production.

4.3 Recovery/Rollback Planning 

Document and test the procedures for backup and recovery of a system or roll backup of a change prior to implementing a change. If no environment exists to test a change, a recovery/rollback plan can serve to mitigate risk from the change.

4.4 Change Requests 

Log all Standard Changes in the ITS ticketing system (Jira).

4.5 Change Approval 

Send Normal Change Requests to the Change Management Advisory Board for approval a week before the actual change. Include in the Request a description of the change, along with any end-user impacts and risks that might result from the change.

4.6 Release Management Planning 

After a change is approved, create a Release Management Plan, and add it to the Change Request ticket. The plan should include: 

  1. Personnel (title or name) performing the change 
  2. Description of the release process 
  3. Release schedule(s) 
  4. Any stakeholder communications required for the change. 

4.7 Communications 

Inform the users impacted by a change of the change and its impact, as detailed in the Release Management Plan.

4.8 Implementation 

Make changes as per the Release Management plan.

4.9 Closure 

After completion of a change, inform users, as appropriate to the magnitude of the change, and close the Change Request ticket.

5. Emergency Changes

Emergency Changes are typically used when there is a service failure or security threat. Emergency Changes have the following nine steps:

5.1 Review of Release Notes

For commercial or open-source applications, if release notes or other documentation are available, they should be reviewed by functional and system analysts—together with database administrators, if applicable—to determine the dependencies between modules on other environments and on integrations with other Western systems.

5.2 Testing of Changes

If possible, evaluate Emergency Changes in a test environment prior to deployment in production.

5.3 Backup and Recovery/Rollback Planning 

Document and test the procedures for backup and recovery of a system or rollback of a change prior to implementing an Emergency Change. If possible, backup the systems prior to the change. If no environment exists to test the change, a recovery/rollback plan can serve to mitigate risk from the change.

5.4 Change Requests

Log all Emergency Changes in the ITS ticketing system Jira.

5.5 Change Approval

An ITS Director may approve Emergency Change Requests changes impacting departmental users or for a limited scope of users. The University’s Chief Information Officer must approve Emergency Changes for mission critical, enterprise, system of record, or high-use systems. For either case, approval may be via email or phone call. Note the approval in the Jira ticket.

5.6 Release Management Planning 

After a change is approved, create a Release Management Plan and add it to the Change Request ticket. The plan should include: 

  1. Personnel (title or name) performing the change. 
  2. Description of the release process. 
  3. Release schedule(s). 
  4. Any stakeholder communications required for the change. 

5.7 Communications 

Inform the users impacted by a change of the change and its impact, as detailed in the Release Management Plan.

5.8 Implementation 

Make changes per the Release Management plan.

5.9 Closure 

After completion of a change, inform users and close the Change Request ticket.

6. References

1. Information Technology Services guideline GDL-3000.07H: Change and Release Management Guideline 

Change Log 

Revised 

Version 

Author 

Approver 

Change 

06/18/2021 

1.0 

Beth Albertson 

ITS Standards & Guidelines Committee 

Original Version